Website Hammered by Hotlinking, Spammers, and Free Loaders?

My main site recently was hammered by Hotlinking, Spammers, and Free Loaders. This can happen to any website, so we all need to learn how to keep an eye on potential abuse of our sites.

Hotlinking Images

Hotlinking is linking directly to the image files on your site from pages on another site. That is the simple description. In practice it is the unauthorized use of your images on other websites, and it is not limited to the pictures in your posts: background graphics, the header, logos, any image file your site serves can be hotlinked.

By linking to your image, they get to display your image, usually without permission, and they also get to use your bandwidth. The visitor’s browser loads their page, follows the link to the image stored on your server, and your server delivers the file every time that page is viewed. The costs of a website are a combination of storage and bandwidth. A hotlinker avoids storing the image at all, and every view of it is served out of your bandwidth allowance, not theirs, so you are paying for their use of your images in more ways than one. Some of the most notorious hotlinkers are those who want to use your images without permission (but we haven’t really stolen it, have we?) and those without storage space of their own.

How do you know whether your images are being hotlinked? Your host should give you access to your statistics and site reports, also called logs, access logs, or bandwidth logs. That is where the detective work starts.

There are several places to look for clues that your images are being hotlinked. Look for sections on the files being accessed, often called the most accessed pages, URLs, files, or file types. If these sections list specific files, you can see how often each file has been requested. If an image is getting far more requests than the page on which it appears, be suspicious. The raw access log settles it: each request records a Referer (the page that asked for the file), and an image request whose Referer is a page on somebody else’s domain is a hotlink.

To put a stop to hotlinking, start with your hosting options. Ask your host whether it offers a hotlink-protection feature. If not, add your own by editing the .htaccess file in your root directory. The usual rule returns 403 Forbidden for image requests whose Referer is another site, while still allowing requests that carry no Referer at all, so that direct links, bookmarks, and privacy-conscious browsers keep working.

For information on changing the .htaccess file, see these helpful articles.
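Here is the kind of .htaccess rule the paragraph above refers to, written out as standard Apache mod_rewrite directives, together with a small Python function that makes the same allow/deny decision so the policy can be checked offline. This is an added example, not code from the original post; example.com and the hostnames in it are placeholders for your own domain.

```python
import re
from urllib.parse import urlsplit

# Apache mod_rewrite rules of the kind that go into the .htaccess file in the
# site root. "example.com" is a placeholder: substitute your own domain.
HTACCESS_HOTLINK_RULES = r"""
RewriteEngine On
# Let through requests that carry no Referer at all (direct links, bookmarks,
# privacy proxies). Blocking those breaks legitimate visitors.
RewriteCond %{HTTP_REFERER} !^$
# Let through your own site, with or without www. The trailing slash matters:
# without it, "example.com.evil.net" would also match.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
# Every other request for an image file gets 403 Forbidden.
RewriteRule \.(gif|jpe?g|png)$ - [F,NC]
"""

# Same file-type test as the RewriteRule above (case-insensitive, like [NC]).
IMAGE_RE = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)


def hotlink_decision(path, referer, own_hosts):
    """Return "allow" or "deny" for one request, mirroring the rules above.

    path      -- requested URL path, e.g. "/images/header.png"
    referer   -- raw Referer header, "" when the browser sent none
    own_hosts -- hostnames allowed to embed the images,
                 e.g. {"example.com", "www.example.com"}
    """
    if not IMAGE_RE.search(path):
        return "allow"  # the RewriteRule only covers image files
    if referer == "":
        return "allow"  # first RewriteCond: a blank Referer passes
    host = (urlsplit(referer).hostname or "").lower()
    if host in own_hosts:
        return "allow"  # second RewriteCond: your own pages pass
    return "deny"  # RewriteRule fires: 403 Forbidden


if __name__ == "__main__":
    own = {"example.com", "www.example.com"}
    for path, ref in [
        ("/images/header.png", "http://www.example.com/2006/08/post/"),
        ("/images/header.png", ""),
        ("/images/header.png", "http://forum.other.net/thread/9"),
        ("/images/header.png", "http://example.com.evil.net/"),
        ("/about/", "http://forum.other.net/thread/9"),
    ]:
        print(f"{hotlink_decision(path, ref, own):5}  {path}  referer={ref!r}")
```

To protect other file types (video or audio files, for instance) the only change is the extension list in the RewriteRule and in IMAGE_RE, for example `\.(gif|jpe?g|png|wmv|avi|mp3)$`; the Referer conditions stay the same, which is what keeps your own pages working. The rule is only as strong as the Referer header, which any script can forge, so it stops casual embedding and bandwidth drain rather than a determined copier.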

Spammers: Comment Spammers, Site Spammers, Email Spammers

Remember Spam, that nasty stuff created to serve the military as something-that-might-be-meat-in-a-can? Despite the fact that my father happens to like it, this is considered one of the nastiest things on the planet made by man, so the term has migrated over to label the nastiest things found on the Internet.

Email spam was the first big nuisance on the Internet: unwanted email slinking into your inbox promoting all things greed, sex, and snake oil. Spammers’ address lists were generated by computers combining common names with email providers at random, and harvested from chats, forums, and websites.

To protect an email address you publish on your website, you can do a variety of things. One of the easiest, when you write the address into a page by hand, is to obfuscate it. For example, my email address is: lorelle@cameraontheroad.com.

While it appears on screen exactly like that, in the page source each character is written as an HTML character code (spaces were required to make this visible here):

You can create your own from one of the links below and save it in a text file, ready to paste into your site whenever you need it.

WordPress users have it a little easier, but the principle is the same: what matters is what ends up in the HTML that harvesters download, not where the address is stored. Template tags that pull the address out of the database only hide it if they encode it on output; WordPress’s own antispambot() function does exactly that, turning each character into a character code. Plugins such as the Coffee2Code Obfuscate Email WordPress Plugin apply the same rewriting automatically to addresses in your content.
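The character-code technique described above, as an added example that is not part of the original post or of any of the plugins it names: a small Python script that rewrites an address as HTML character references (decimal, hexadecimal, or a mix), builds a clickable mailto link from it, and runs a naive harvester regex over both forms to show what the obfuscation does and does not hide. The harvester regex is a constructed stand-in for the pattern-matching a simple address-collecting bot uses.

```python
import html
import random
import re

# Constructed stand-in for a naive harvester: the kind of regex a simple
# address-collecting bot runs over raw HTML.
HARVEST_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def entity_obfuscate(address, mode="mixed", seed=None):
    """Rewrite every character of `address` as an HTML character reference.

    mode "dec"   -> &#108;&#111;...   (decimal)
    mode "hex"   -> &#x6c;&#x6f;...   (hexadecimal)
    mode "mixed" -> a seeded random mix of both, so a bot that only decodes
                    one form still cannot reassemble the address.
    Browsers render all three identically, and copying the rendered text
    yields the plain address.
    """
    rng = random.Random(seed)
    out = []
    for ch in address:
        code = ord(ch)
        if mode == "dec" or (mode == "mixed" and rng.random() < 0.5):
            out.append(f"&#{code};")
        else:
            out.append(f"&#x{code:x};")
    return "".join(out)


def mailto_link(address, label=None, seed=None):
    """A clickable link whose href and visible text are both entity-encoded.
    The "mailto:" scheme is encoded too, so the href holds no literal "@"."""
    scheme = entity_obfuscate("mailto:", mode="dec")
    href = entity_obfuscate(address, seed=seed)
    text = entity_obfuscate(label or address, seed=seed)
    return f'<a href="{scheme}{href}">{text}</a>'


def rendered(markup):
    """What a browser shows for the markup: entities decoded back to text."""
    return html.unescape(markup)


def naive_harvest(page_html):
    """Addresses a simple regex-based harvester would pull from raw HTML."""
    return HARVEST_RE.findall(page_html)


if __name__ == "__main__":
    addr = "lorelle@cameraontheroad.com"
    obfuscated = entity_obfuscate(addr, seed=7)
    print("source:   ", obfuscated)
    print("rendered: ", rendered(obfuscated))
    print("harvested from plain text:", naive_harvest("Mail me: " + addr))
    print("harvested from obfuscated:", naive_harvest("Mail me: " + obfuscated))
    print(mailto_link(addr, seed=7))
```

The protection is against harvesters that do not bother to decode entities, which in practice is most of the bulk scrapers; a bot that runs the equivalent of html.unescape() before matching sees the address as plainly as a browser does. Treat it as a cheap filter, not as secrecy.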

From email, spammers have expanded to the comments on interactive websites. Luckily, WordPress and other blogging programs are fighting back, so there is often little you need to do. Comments that look questionable are automatically held or put into the Comment Moderation panel to await your review and approval. Users of WordPress MU, such as wordpress.com, are usually protected by Bad Behavior – Comment Spam WordPress Plugin and/or Spam Karma 2, two of the top comment spam fighting tools. If you run the full version of WordPress, consider adding one of those anti-comment-spam plugins to your site.

As a last warning, be wary of flattering comments left on your site. Most are caught by the good spam catchers, but some slip through. They say things like “I can tell you’ve put a lot of work into your site” and “I’m going to tell my friends about this. Thanks!” without ever mentioning what the post was about. Check the email address and the link to see whether they lead to a real person who cares or to a site the commenter wants to promote. If it is questionable, delete it.

Free Loaders: Website Users and Abusers

A harder form of website abuse to track is freeloading, also known as silent spamming and referral spam. Silent spamming is when freeloaders register as “members” on your site or sign your guest book, leaving entries that may never show up on your pages or in your comment moderation queue but that carry their website address, which search engines still find and count as a link. The more links pointing to a site, the better its page ranking in search engines, and that link is the whole point.

WordPress helps combat this by adding rel="nofollow" to the links in comments, which instructs search engines not to follow the link or count it toward the linked site’s ranking.

Another method of silent spamming is referral spam. If you publish your site statistics or referrer lists, or use one of the popular statistics programs such as Webalizer that publishes them for you, abusers send their robots to your site with a forged Referer header naming the site they want to promote. Your statistics page then lists that address as a referrer, and because the page is public, it hands the spammer a free inbound link, using your site as a giant link launching point. The link they are after is what search engine marketers call a backlink.

How do you know if you have been hit by one of these silent spammers and abusers? Again, check your site statistics. If you suddenly get a boost in traffic, and Slashdot hasn’t highlighted your site, the unusual traffic could be a sign of referrer spam.

To my delight recently, I witnessed a big jump in traffic. To my dismay, it turned out that this increase in traffic and hits on my database was actually freeloaders and website abusers using referrals and other methods of taking advantage of my site and bandwidth. I dug into my site statistics and found under my top hosts stats, an amazing amount of traffic from only a few sites. Here is the list of the top hosts on my site. To avoid promoting them, I’ve censored part of their IP addresses.

IP Address          Pages   Hits   Bandwidth
70.85.XXX.XXX        5319   5319   440.00 MB
216.195.XXX.XXX      5304   5304   435.96 MB
216.195.XXX.XXX      4711   4711   386.68 MB
64.124.XXX.XXX        878    878    35.79 MB
69.28.XXX.XXX         379    379    31.24 MB
65.19.XXX.XXX         359    359    24.08 MB

It doesn’t take a rocket scientist to see the gulf between 35 and 386 megabytes: more than a tenfold difference. The jump from 878 hits to 4,711 is also a definite clue that something abnormal is going on. Notice too that Pages equals Hits for every one of these top hosts: each request fetched a page and nothing else, no images, stylesheets, or scripts, which is how scripts and crawlers behave and browsers do not.

A check on these IP addresses led to a marketing company and two porn sites. Not the kind of people I want my hard-earned money to support.

To stop these site leeches and freeloaders, ask your host what services it offers to deny access or ban IP addresses. You can also deny access yourself with rules in your .htaccess file. Ban with some care: abusers move between addresses, and blocking a whole range can shut out innocent visitors who share it. To track them, learn to read your site statistics and logs. For more information, see:
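The detective work described in this post, from reading the access log for hotlinked images to spotting a handful of hosts eating the bandwidth and denying them in .htaccess, as one added worked example. This is not code from the original post: it parses a constructed sample of Apache combined-format log lines (documentation IP ranges, not real traffic), produces a per-host Pages/Hits/Bandwidth summary of the kind the table above came from, flags hosts that stand out, lists image requests with a foreign Referer, and writes the matching deny rules. example.com stands in for your own domain.

```python
import re
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# --- constructed sample log -------------------------------------------------
# Apache "combined" format:
# host ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
_LINE = ('{ip} - - [10/Aug/2006:10:{m:02d}:{s:02d} -0700] "GET {path} HTTP/1.1" '
         '200 {size} "{ref}" "{ua}"')
_BROWSER = "Mozilla/5.0 (Windows; Firefox)"
_SCRIPT = "Mozilla/4.0 (compatible; fetcher)"


def _sample_lines():
    # One real visitor: a page, then the stylesheet and header image it embeds.
    yield _LINE.format(ip="192.0.2.10", m=1, s=0, path="/2006/08/post/", size=84000,
                       ref="http://www.google.com/search?q=wordpress", ua=_BROWSER)
    yield _LINE.format(ip="192.0.2.10", m=1, s=1, path="/wp-content/style.css", size=3000,
                       ref="http://example.com/2006/08/post/", ua=_BROWSER)
    yield _LINE.format(ip="192.0.2.10", m=1, s=1, path="/images/header.jpg", size=42000,
                       ref="http://example.com/2006/08/post/", ua=_BROWSER)
    # Two visitors of a forum that hotlinks the header image.
    for ip, s in (("198.51.100.7", 0), ("198.51.100.8", 5)):
        yield _LINE.format(ip=ip, m=2, s=s, path="/images/header.jpg", size=42000,
                           ref="http://forum.other.net/thread/9", ua=_BROWSER)
    # A scraper pulling fifty posts: no Referer, no images, no stylesheet.
    for n in range(50):
        yield _LINE.format(ip="203.0.113.5", m=3, s=n, path=f"/2006/08/post-{n}/",
                           size=80000, ref="-", ua=_SCRIPT)


SAMPLE_LOG = "\n".join(_sample_lines()) + "\n"

# --- parsing and analysis ---------------------------------------------------
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
STATIC_RE = re.compile(r"\.(gif|jpe?g|png|css|js|ico)$", re.IGNORECASE)
IMAGE_RE = re.compile(r"\.(gif|jpe?g|png)$", re.IGNORECASE)


def parse_log(text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
        rec["referer"] = "" if rec["referer"] == "-" else rec["referer"]
        records.append(rec)
    return records


def host_summary(records):
    """Per host: pages (non-static URLs), hits (every request) and bytes,
    the same three columns as the 'top hosts' table in a statistics report."""
    out = defaultdict(lambda: {"pages": 0, "hits": 0, "bytes": 0})
    for r in records:
        h = out[r["host"]]
        h["hits"] += 1
        h["bytes"] += r["size"]
        if not STATIC_RE.search(r["path"]):
            h["pages"] += 1
    return dict(out)


def suspicious_hosts(summary, factor=10, min_hits=20):
    """Hosts worth a look, heaviest first: at least `min_hits` requests and
    either `factor` times the median host's hits, or pages == hits (the host
    fetched pages and nothing else, which is how scripts behave, not browsers)."""
    if not summary:
        return []
    med = median(s["hits"] for s in summary.values())
    ranked = sorted(summary.items(), key=lambda kv: -kv[1]["bytes"])
    return [host for host, s in ranked
            if s["hits"] >= min_hits and (s["hits"] >= factor * med or s["pages"] == s["hits"])]


def hotlinked_images(records, own_hosts):
    """Image requests whose Referer is another site: {(path, referer_host): count}.
    Blank referers are ignored, for the same reason .htaccess rules let them through."""
    counts = defaultdict(int)
    for r in records:
        if not IMAGE_RE.search(r["path"]) or not r["referer"]:
            continue
        ref_host = (urlsplit(r["referer"]).hostname or "").lower()
        if ref_host not in own_hosts:
            counts[(r["path"], ref_host)] += 1
    return dict(counts)


def deny_rules(hosts):
    """An Apache 2.2-style .htaccess block (mod_authz_host, or mod_access_compat on
    2.4) that shuts out the listed addresses and lets everyone else in."""
    lines = ["Order Allow,Deny", "Allow from all"] + [f"Deny from {h}" for h in hosts]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    summary = host_summary(recs)
    for host, s in sorted(summary.items(), key=lambda kv: -kv[1]["bytes"]):
        print(f"{host:16} pages={s['pages']:4} hits={s['hits']:4} {s['bytes'] / 1e6:8.2f} MB")
    print("suspicious:", suspicious_hosts(summary))
    print("hotlinked:", hotlinked_images(recs, {"example.com", "www.example.com"}))
    print(deny_rules(suspicious_hosts(summary)))
```

On a real server, replace SAMPLE_LOG with the contents of your access log (the path varies by host; access_log and access.log are common names), and review the flagged list before pasting the deny block into .htaccess: the thresholds are a starting point, and a legitimate search-engine crawler also fetches pages without images. On Apache 2.4 without mod_access_compat the equivalent is a Require not ip directive inside a RequireAll block.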

The Moral of the Story?

Evildoers and abusers are part of being human. Unfortunately, so is the need to stay aware and informed of how the abusers work, so you can do what you can to protect yourself.

Learn how to use your site statistics to monitor what is going on, and do it regularly. In an upcoming post, I’ll talk more about what you can learn, good and bad, from your site statistics, but for now, play Sherlock Holmes, keep an eye out for the bad guys who are abusing your site, and stop them.

The only way the bad guys can be put out of business is if we stop them when they start, prevent them before they start, and make their income dry up completely.

15 Comments

None of the five links in the email address obfuscation section refer to CSS methods of obfuscation. See my link for one of them and so far I have seen five other different CSS methods in action, though instead of listing (spamming?) them here you’ll find them in a post at the “emailaddresses” forum.

The methods above do use obfuscation, including the use of character codes to replace text. Your method is interesting, but how does it really work? Do you wrap the results in a mailto link? The key to the above character entities techniques is that the email appears as text in the browser, and if you copy it from the browser screen to paste it in an email, it will continue to appear like a legitimate email address.

Your method pastes in as code which makes the user work harder by having to type in the email from the browser into the email program, switching windows back and forth if the email address is complicated or has funny spellings like tu30slfkup@hrnt45.com.

But it is certainly interesting. For the truly paranoid, it is a good option.

Great site, I love it. I have a friend who has a site and, he said he liked the site too.

j/k… But seriously, I’m having a big problem with people hotlinking my wmv and avi files. I’ve tried setting up an htaccess file to stop it but it doesn’t work – actually it works, but it stops my own site from using the wmv files. I know it can do it with images, but does htaccess work with wmv/mp3 files?

Try a search for “.htaccess allow deny avi mpg” and see if you find a solution there. Maybe someone else will have the answer if what you have been doing with the .htaccess files hasn’t been working. I would assume that stopping the hotlinking of jpgs, gifs, and pngs would be the same as stopping avi files. I don’t work directly with them so I don’t have an answer on this one.

Someone challenged me to make the CSS mini text-logo obfuscation method clickable without using javascript. As my link shows, I did it, at least for IE and Firefox. For other browsers it links to an audio recording of the address being spoken.
If you’re examining the source code – for Firefox I use an XBL binding which encloses the static link inside an anonymously generated mailto link from a separate example.xml file, and for IE I use a background url(mailto: CSS trick for styling the ACTIVE link (which is the same as if it has been clicked) from the separate example.css file.

Hi Lorelle- I just got back from Wordcamp. Thanks for your great presentation and your insights! I’m now looking at my blog with a more critical eye and this morning found some inbound links that may be a little iffy. Or not, I’m not sure. Could it be some sort of spam or just bad writing? Your post here and Matt Cutts’ presentation on Saturday have me on my guard. I have 2 new sites linking back to me and they look like blogpost aggregators. Kinda crappy design (but that’s so subjective), kinda ambiguous “who I am” info. Is there anywhere I can go where the Whitehat SEO experts and WordPress community experts meet, so I can get someone’s opinion on these inbound links?

You don’t need to go anywhere. Check out the sites. If you don’t like them, remove their trackbacks. If they are linking to you and while you don’t like them, they aren’t stealing your blog content, ignore them. There is nothing you can do.

[…] Then one day I got hit by about 25 viagra/casino spams. While these were caught by WordPress comment spam filters, they showed up in pink using ColdForged’s Paged Comment Editing Plugin. The monsters were in my spam catching database, eating up valuable space on my server. Well, not really but I was angry anyway. Remember, I’m paranoid about comment spam. After several months with only the occasional irritant, I was pissed, so I added the Bad Behavior Comment Spam Plugin. […]

[…] To find out if your images have been stolen and used without permission, search Google Images to see if your image is listed and who is linking to it. Also check your server report to find out if someone is hotlinking, linking to an image on your site using your bandwidth. […]

[…] Lorelle on WordPress if others are interested in this issue. She has some good information on hotlinking and how to find out if this is happening to you as well as good steps on what to do if someone steals your […]